On the Bit Security of Cryptographic Primitives∗†

Daniele Micciancio‡   Michael Walter§

May 27, 2019

∗ Research supported in part by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under the SafeWare program. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views, position or policy of the Government. The second author was also supported by the European Research Council, ERC consolidator grant (682815 - TOCNeT).
† © IACR 2018. This article is the final version submitted by the author(s) to the IACR and to Springer-Verlag on February 6, 2018. The version published by Springer-Verlag is available at https://doi.org/10.1007/978-3-319-78381-9_1.
‡ UC San Diego, USA. E-mail: [email protected]
§ IST Austria, Austria. E-mail: [email protected]

Abstract

We introduce a formal quantitative notion of "bit security" for a general type of cryptographic games (capturing both decision and search problems), aimed at capturing the intuition that a cryptographic primitive with k-bit security is as hard to break as an ideal cryptographic function requiring a brute force attack on a k-bit key space. Our new definition matches the notion of bit security commonly used by cryptographers and cryptanalysts when studying search (e.g., key recovery) problems, where the use of the traditional definition is well established. However, it produces a quantitatively different metric in the case of decision (indistinguishability) problems, where the use of (a straightforward generalization of) the traditional definition is more problematic and leads to a number of paradoxical situations or mismatches between theoretical/provable security and practical/common sense intuition. Key to our new definition is to consider adversaries that may explicitly declare failure of the attack. We support and justify the new definition by proving a number of technical results, including tight reductions between several standard cryptographic problems, a new hybrid theorem that preserves bit security, and an application to the security analysis of indistinguishability primitives making use of (approximate) floating point numbers. This is the first result showing that (standard precision) 53-bit floating point numbers can be used to achieve 100-bit security in the context of cryptographic primitives with general indistinguishability-based security definitions. Previous results of this type applied only to search problems, or special types of decision problems.

1 Introduction

It is common in cryptography to describe the level of security offered by a (concrete instantiation of a) cryptographic primitive P by saying that P provides a certain number of bits of security. E.g., one may say that AES offers 110 bits of security as a pseudorandom permutation [6], or that a certain lattice based digital signature scheme offers at least 160 bits of security for a given setting of the parameters. While there is no universally accepted, general, formal definition of bit security, in many cases cryptographers seem to have an intuitive (at least approximate) common understanding of what "n bits of security" means: any attacker that successfully breaks the cryptographic primitive must incur a cost¹ of at least $T > 2^n$, or, alternatively, any efficient attack achieves at most $\epsilon < 2^{-n}$ success probability, or, perhaps, a combination of these two conditions, i.e., for any attack with cost $T$ and success probability $\epsilon$, it must be $T/\epsilon > 2^n$. The intuition is that $2^n$ is the cost of running a brute force attack to retrieve an n-bit key, or the inverse success probability of a trivial attack that guesses the key at random. In other words, n bits of security means "as secure as an idealized perfect cryptographic primitive with an n-bit key". The appeal and popularity of the notion of bit security (both in theory and in practice) rests on the fact that it nicely sits in between two extreme approaches:

• The foundations of cryptography asymptotic approach (e.g., see [10, 9]) which identifies feasible adversaries with polynomial time computation, and successful attacks with breaking a system with non-negligible probability.
• The concrete security approach [3, 5], which breaks the adversarial cost into a number of different components (running time, oracle queries, etc.), and expresses, precisely, how the adversary's advantage in breaking a cryptographic primitive depends on all of them.

The foundational/asymptotic approach has the indubitable advantage of simplicity, but it only offers a qualitative classification of cryptographic functions into secure and insecure ones. In particular, it does not provide any guidance on choosing appropriate parameters and key sizes to achieve a desired level of security in practice. On the other hand, the concrete security treatment delivers (precise, but) substantially more complex security statements, and requires carefully tracking a number of different parameters through security reductions.

¹ For concreteness, the reader may think of the cost as the running time of the attack, but other cost measures are possible, and everything we say applies to any cost measure satisfying certain general closure properties, like the fact that the cost of repeating an attack k times is at most k times as large as the cost of a single execution.
In this respect, bit security offers a quantitative, yet simple, security metric, in the form of a single number: the bit security or security level of a primitive, typically understood as the logarithm (to the base 2) of the ratio $T/\epsilon$ between the cost $T$ and advantage $\epsilon$ of the attack, minimized over all possible adversaries. Capturing security level with a single number is certainly convenient and useful: it allows for direct comparison of the security level of different instances of the same primitive (or even between different primitives altogether), and it provides a basis for the study of tight reductions, i.e., constructions and reductions that approximately preserve the security level. Not surprisingly, bit security is widely used. However, there is no formal definition of this term at this point, but rather just an intuitive common understanding of what this quantity should capture. This understanding has led to some paradoxical situations that suggest that the current "definitions" might not capture exactly what they are meant to. It has been noted that only considering the adversary's running time is a poor measure of the cost of an attack [7, 8]. This is especially true if moving to the non-uniform setting, where an adversary may receive additional advice, and the question of identifying an appropriate cost measure has been studied before [6]. However, the paradoxical situations have not, to this day, been resolved to satisfaction, and it seems that considering only the adversary's resources is insufficient to address this issue. In order to explain the problems with the current situation, we first distinguish between two types of primitives with respect to the type of game that defines their security (see Section 3 for a more formal definition): search primitives and decision primitives. Intuitively, the former are primitives where an adversary is trying to recover some secret information from a large search space, as in a key recovery attack.
The latter are games where the adversary is trying to decide if a secret bit is 0 or 1, as in the indistinguishability games underlying the definition of pseudorandom generators or semantically secure encryption. For search games, the advantage of an adversary is usually understood to be the probability of finding said secret information, while for decision games it is usually considered to be the distinguishing advantage (which is equal to the probability that the output of the adversary is correct, over the trivial probability $1/2$ of a random guess).

The Peculiar Case of PRGs

Informally, a PRG is a function $f : \{0,1\}^n \to \{0,1\}^m$, where $m > n$, such that its output under uniform input is indistinguishable from the uniform distribution over $\{0,1\}^m$. In the complexity community it is common knowledge according to [8] that a PRG with seed length $n$ cannot provide more than $n/2$ bits of security under the current definition of security level. This is because there are non-uniform attacks that achieve distinguishing advantage $2^{-n/2}$ in very little time against any such function. Such attacks were generalized to yield other time-space-advantage trade-offs in [7]. This is very counter-intuitive, as the best generic seed recovery attacks do not prevent $n$-bit security (for an appropriate cost measure), and thus one would expect $n$ bits of security in such a case to be possible.

The Peculiar Case of Approximate Samplers

Many cryptographic schemes, in particular lattice based schemes, involve specific distributions that need to be sampled from during their execution. Furthermore, security reductions may assume that these distributions are sampled exactly. During the transition of such a cryptographic scheme from a theoretical construction to a practical implementation, the question arises as to how such a sampling algorithm should be implemented. In many cases, it is much more efficient or secure (e.g., against side channel attacks), or even only possible, to approximate the corresponding distribution rather than generating it exactly. In such a case it is crucial to analyze how this approximation impacts the security of the scheme. Traditionally, statistical distance has been employed to quantify this trade-off between approximation and security guarantee, but it leads to the unfortunate situation where the 53-bit precision provided by floating point numbers (as implemented in hardware in commodity microprocessors) only puts a $2^{-53}$ bound on statistical distance, and results in a rather weak 53-bit security guarantee on the final application. Proving better security using statistical distance methods seems to require higher precision floating point numbers implemented in (substantially slower) software libraries.
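A worked check of the statistical-distance argument above, added here as an example and not part of the paper: it builds a constructed non-dyadic target distribution, rounds its probability table to p-bit precision exactly as a p-bit float would store it, and computes the exact statistical distance between the ideal and the rounded sampler, which is what caps an SD-based proof near 53 bits when p = 53 and why higher-precision (software) arithmetic is needed for more. The geometric distribution, the helper names and the 110-bit comparison are assumptions of this example.

```python
from fractions import Fraction
from math import log2

def round_to_precision(x: Fraction, p: int) -> Fraction:
    """Round x >= 0 to the nearest rational with a p-bit significand (round half
    to even), i.e. the value a p-bit float stores. p=53 is IEEE binary64."""
    if x == 0:
        return x
    e = x.numerator.bit_length() - x.denominator.bit_length()
    if x < Fraction(2) ** e:        # bit-length estimate can be one too high
        e -= 1                      # now 2^e <= x < 2^(e+1)
    scale = Fraction(2) ** (p - 1 - e)
    return Fraction(round(x * scale)) / scale

def exact_geometric(k: int, ratio: Fraction = Fraction(1, 3)) -> dict:
    """Constructed target distribution: P(x) proportional to ratio^x on {0..k}.
    For k >= 2 its probabilities are non-dyadic, so no finite-precision float
    table stores them exactly (the situation every approximate sampler is in)."""
    weights = {x: ratio ** x for x in range(k + 1)}
    z = sum(weights.values())
    return {x: w / z for x, w in weights.items()}

def rounded_copy(dist: dict, p: int) -> dict:
    """The distribution an implementation with p-bit probability tables really
    samples. (Rounded values need not sum to exactly 1; SD does not need that.)"""
    return {x: round_to_precision(q, p) for x, q in dist.items()}

def statistical_distance(a: dict, b: dict) -> Fraction:
    """Exact SD = 1/2 * sum_x |a(x) - b(x)| over the union of the supports."""
    keys = set(a) | set(b)
    return sum(abs(a.get(x, 0) - b.get(x, 0)) for x in keys) / 2

def sd_security_bound(k: int, p: int) -> float:
    """Bits of security an SD-based argument can certify from the precision alone:
    log2(1 / SD(P, P_rounded)). Each table entry carries relative error at most
    2^-p, so SD <= 2^-(p+1): the bound is at least p+1 but, for a generic
    non-dyadic distribution, not much more. Going past it needs larger p."""
    exact = exact_geometric(k)
    return log2(1 / statistical_distance(exact, rounded_copy(exact, p)))

if __name__ == "__main__":
    for p in (53, 110):
        print(f"{p}-bit tables: SD-based security bound ~ {sd_security_bound(20, p):.1f} bits")
```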
